PHP security programming rules

Source: Internet
Author: User

A check item marked with (*) is a fundamental solution to the problem and should be implemented as completely as possible. An item not marked with (*) cannot eliminate the security risk on its own, but applying it helps avoid security problems.
SQL Injection
(*) Use the SQL variable binding function when combining SQL statements.
(*) If the database does not provide variable binding, escape all the variables that constitute the SQL statement.
Do not display the error information in the browser.
Set appropriate permissions for database users.
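The two (*) items above together with "do not display the error information in the browser", as an added PHP example that is not part of this checklist. It assumes a MySQL table users(id, username, email); the DSN and credentials are placeholders.

```php
<?php
// Added example, not part of the checklist: SQL variable binding, the
// escaping fallback, and error handling that keeps driver messages out of
// the browser. Assumes a table users(id, username, email); DSN and
// credentials are placeholders.
declare(strict_types=1);
function connect(): PDO
{
    return new PDO(
        'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', // placeholder
        'app_user',                                         // placeholder
        getenv('DB_PASSWORD') ?: '',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            // real server-side prepares: values never enter the SQL text
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// Vulnerable: the external value is spliced into the SQL text, so a value
// containing a quote character changes the statement itself.
function findUserUnsafe(PDO $pdo, string $username): ?array
{
    $sql = "SELECT id, username, email FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Safe: the statement text is fixed; the value is bound as a parameter.
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, email FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Fallback when binding is unavailable: escape with the driver's own
// quoting routine (PDO::quote adds the surrounding quotes), never by hand.
function findUserEscaped(PDO $pdo, string $username): ?array
{
    $sql = 'SELECT id, username, email FROM users WHERE username = ' . $pdo->quote($username);
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC) ?: null;
}
try {
    $user = findUser(connect(), $_GET['username'] ?? '');
    echo $user === null ? 'not found' : 'found';
} catch (PDOException $e) {
    error_log('DB error: ' . $e->getMessage()); // operator log, not the page
    http_response_code(500);
    echo 'An internal error occurred.';
}
```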
Operating System Command Line injection
(*) Avoid using language features that can start shell commands.
If shell commands can be started in the language used, you must check every variable passed as a parameter to such a function to ensure that it contains only valid operations.
Unchecked path name parameters / Directory Traversal
(*) Do not directly use external parameters as file names.
(*) Restrict the file opening operation to a fixed directory and prohibit the file name from containing the path.
Set correct access permissions for files on the Web server
Check file name
Session management problems
(*) Use difficult-to-guess content as the session ID
(*) Do not save the session ID in the URL
(*) Set the secure attribute for the cookie used in the https protocol
(*) A new session is generated after logon.
(*) After successful logon, generate a secret value derived from the session ID and check it every time a page is accessed.
Do not use a fixed value as the session ID
When saving session IDs to cookies, you must set a validity period.
Cross-Site Scripting (XSS)
Solution when HTML content cannot be entered
(*) Escape all content output to the page
(*) Only output URLs that start with "http://" or "https://".
(*) Do not dynamically generate <script>...</script> content.
(*) Do not read style sheets from external websites
Check input content
Solution when HTML content is allowed
(*) Parse the entered HTML content, generate the parsing tree, and then extract the non-script part.
Use a script to delete script-related strings from the input HTML content.
General Solution
(*) Re-specify the charset attribute of Content-Type in the HTTP header of the response
To prevent Cookie information leakage, the Trace method should be disabled and HttpOnly attributes should be set for all cookies.
Cross-Site Request Forgery (CSRF)
(*) Access all pages through POST. Generate a random value in a hidden field of the previous page, check it on the submitted page, and execute the operation only when the value is correct.
(*) Require the password to be entered again before executing the operation.
(*) Check whether the Referer is correct. It is executed only when the Referer is correct.
Send emails to the pre-configured email address when performing important operations
HTTP header Injection
(*) Do not output HTTP headers directly; use the header output API provided by the runtime environment.
(*) When you cannot use the API, disable line breaks in the input header information.
Delete line breaks from all external inputs
Email theft (an attacker causing the application to send email to an address of their choosing)
(*) Do not use external parameters as mail header information.
